SimpleRisk a simple and free tool to perform risk management activities. Based entirely on open source technologies and sporting a Mozilla Public License 2.0, a SimpleRisk instance can be stood up in minutes and instantly provides the security professional with the ability to submit risks, plan mitigations, facilitate management reviews, prioritize for project planning, and track regular reviews. It is highly configurable and includes dynamic reporting and the ability to tweak risk formulas on the fly. It is under active development with new features being added all the time. SimpleRisk is truly Enterprise Risk Management simplified. [0]

Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS) have been discovered within SimpleRisk version 20130915-01 leading to complete account compromise. The CSRF vulnerability is used to deliver the XSS payload which accesses the authenticated user's session cookies and transmits them to a third-party domain under the attacker's control. Once the attacker has the user's session cookie, the attacker can authenticate to the application as the user.

5. *Vulnerable Packages*

Only version 20130915-01 was tested which was the latest version at the time of writing.

The prioritize_planning.php page accepts user supplied input via the new_project POST parameter and then later outputs that data to the page without first being sanitised or encoded. The following code was used to inject JavaScript into the application's back-end database.

. Add the httponly flag to the session cookie so that JavaScript's document.cookie can not access it. [3]
. Set the Content Security Policy (CSP) header to whitelist where JavaScript is allowed to be loaded from. [4]
. Set the X-XSS-Protection header to ensure the browser's XSS filtering is enabled. (only works for reflected XSS) [5]